JDK-6763530 : Cannot decode PublicKey (Provider SunPKCS11, curve prime256v1)
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6u10,6u18,7
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,solaris_10,windows_xp
  • CPU: generic,x86,sparc
  • Submitted: 2008-10-24
  • Updated: 2011-12-05
  • Resolved: 2010-02-16
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7 Other
6u29-revFixed 7 b84Fixed OpenJDK6Fixed
Related Reports
Duplicate :  
JDK-6779460 - sun.security.ec.ECParameters.decodePoint expects a plain byte array, can't handle DER octet string.
Description
FULL PRODUCT VERSION :
java version "1.6.0_10"
Java(TM) SE Runtime Environment (build 1.6.0_10-b33)
Java HotSpot(TM) Client VM (build 11.0-b15, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
PKCS#11 library interface version 2.01
                            flags 0
                   manufacturerID "nCipher Corp. Ltd"
               libraryDescription "nCipher PKCS#11 1.58.48"
           implementation version 1.58

A DESCRIPTION OF THE PROBLEM :
A public key from a key pair, generated with SunPKCS11 provider and nCipher (elliptic curve key with curve e.g. prime256v1) could not encode with publicKey.getEncoded()

nCipher returns DER encoded key correct (debug output):

2008-10-17 15:30:32 [4048] t3700: pkcs11: 000008CB <    CKA_EC_POINT
  pAtt->pValue= 67 bytes
    04410438 70a3889c eb8aca99 5cca05b2 7667ccaa 8f272e0c 7a535af5 79d31993
    8f962902 dbd859d7 24d6f1c1 b870654b 8faf41f2 41202134 7b59fc72 2a681023
                                                                      5ab4e6

2008-10-17 15:30:32 [4048] t3700: pkcs11: 000008CB <    CKA_EC_PARAMS
  pAtt->pValue= 10 bytes
                                                      06082a86 48ce3d03 0107




STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Generate a ec key pair with SunPKCS11 provider.
Get the public key.
Try getEncoded.



EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The DER encoded public ec key
ACTUAL -
java.lang.RuntimeException

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.RuntimeException: Could not parse key values
	at sun.security.pkcs11.P11Key$P11ECPublicKey.fetchValues(P11Key.java:1005)
	at sun.security.pkcs11.P11Key$P11ECPublicKey.getEncodedInternal(P11Key.java:1015)
	at sun.security.pkcs11.P11Key.getEncoded(P11Key.java:109)
	at Test.run(Test.java:45)
	at Test.main(Test.java:52)
Caused by: java.io.IOException: Point does not match field size
	at sun.security.ec.ECParameters.decodePoint(ECParameters.java:75)
	at sun.security.pkcs11.P11ECKeyFactory.decodePoint(P11ECKeyFactory.java:61)
	at sun.security.pkcs11.P11Key$P11ECPublicKey.fetchValues(P11Key.java:1002)
	... 4 more


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

import sun.security.pkcs11.SunPKCS11;


public class Test {
    
    private Test(){
      ByteArrayOutputStream   byteStream  = new ByteArrayOutputStream();
      PrintStream ps = new PrintStream(byteStream);
      ps.println("name = nCipher");
      ps.println("library = c:/nfast/toolkits/pkcs11/cknfast.dll");
 
      ps.println("attributes = compatibility");
      ps.println("slotListIndex = 0"); // nCipher module slot
      
      ps.println("attributes(*, CKO_PRIVATE_KEY, *) = {");
      ps.println("  CKA_DERIVE = false");
      ps.println("  CKA_SENSITIVE = true");
      ps.println("  CKA_EXTRACTABLE = false");
      ps.println("  CKA_TOKEN = true");
      ps.println("}");
      
      ps.println("attributes(*, CKO_PUBLIC_KEY, *) = {");
      ps.println("  CKA_TOKEN = true");
      ps.println("}");
      
      InputStream config = new ByteArrayInputStream(byteStream.toByteArray());
      Provider pkcs11Provider = new SunPKCS11(config);
      Security.addProvider(pkcs11Provider);
        
    }
    
    private void run() throws Exception{
        KeyPairGenerator asymKeyGen = KeyPairGenerator.getInstance("EC", "SunPKCS11-nCipher");
        asymKeyGen.initialize(new ECGenParameterSpec("1.2.840.10045.3.1.7"));
        byte[] encodedPublicKey = asymKeyGen.genKeyPair().getPublic().getEncoded();
        // ...

    }
    
    public static void main(String [] args) {
        try {
            (new Test()).run();
        }catch (Throwable e){
            e.printStackTrace();
            System.exit(1);
        }
        System.exit(0);
    }
}
---------- END SOURCE ----------
Comments
EVALUATION Apply the supplied patch.
22-01-2010